Fix unauthorized column reordering

Users could reorder columns they didn't have access to. Fixed by
limiting ColumnScoped to User::Accessor#accessible_columns.

References https://hackerone.com/reports/3449905
This commit is contained in:
Jeremy Daer
2025-12-03 13:00:49 -08:00
parent b26284402e
commit 9f6a4f1cc6
4 changed files with 28 additions and 1 deletions
+1 -1
View File
@@ -7,6 +7,6 @@ module ColumnScoped
private
def set_column
@column = Current.account.columns.find(params[:column_id])
@column = Current.user.accessible_columns.find(params[:column_id])
end
end